Sens. Warner & Wyden seek healthcare cybersecurity mandates in new bill



Senate Finance Committee Chairman Ron Wyden, D-Ore., and Sen. Mark Warner, D-Va., have teamed up to introduce “commonsense reform” legislation aimed at stemming the rising tide of cyberattacks that invade Americans’ privacy and cause massive disruptions to care across the country.

Warner said in a statement Thursday that the Health Infrastructure Security and Accountability Act would not only mandate cybersecurity protocols but also increase funding for rural and underserved hospitals to meet new cybersecurity standards.

WHY IS IT IMPORTANT?

If passed into law, the proposed reforms in the bill would result in increased audits of healthcare organizations. They would also have to pay higher user fees for services under the new regulations.

Warner, who has focused on improving the industry’s cybersecurity posture, has urged the U.S. Department of Health and Human Services to end voluntary cybersecurity requirements and issued a 2022 policy document calling for the creation of an expert on cybersecurity in the healthcare sector, said in a statement that he believes voluntary standards lack the teeth needed to protect patients’ most private data and ongoing care.

The lawmakers made it clear that they believe some of the largest healthcare organizations are “ignoring cybersecurity standards.”

“Major corporations like UnitedHealth are defeating Cybersecurity 101 and American families are suffering as a result,” Wyden said in the statement.

“The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to the health and privacy of Americans.”

The Health Infrastructure Security and Accountability Act, according to a fact sheet on the proposed legislation, calls for “enhanced standards” that apply to “systemically important” entities and modernize HIPAA-mandated minimum cybersecurity standards for healthcare providers, health plan clearinghouses, and business associates.

The bill would also require covered entities and business associates to submit to annual independent cybersecurity audits and follow other measures to ensure they can restore service promptly after something goes wrong – “which HHS may exempt small suppliers from.”

Top executives would have to certify compliance with the requirements each year, and HHS would be required to “proactively audit the data security practices of at least 20 regulated entities each year.”

The bill also proposes eliminating statutory limits on HHS’s authority to impose fines so that large corporations, like UnitedHealth Group, “face fines large enough to deter a loose network security situation.”

While additional security monitoring and enforcement would be paid for by user fees for all regulated entities, the legislative proposal also provides $800 million to pay for enhanced network security standards at rural and urban safety net hospitals and $500 million for all hospitals.

“With hacks that have targeted organizations across the country, it is time to move beyond voluntary standards and ensure healthcare providers and take cybersecurity and patient safety seriously.”

BIGGER TREND

Warner and Wyden’s announcement noted that after the Senate Finance Committee held a hearing in May with UnitedHealth Group CEO Andrew Witty about the February cyberattack on Change Healthcare, a UHG subsidiary, Wyden called on the Biden administration to investigate the mega-corporation and hold it responsible for its “lax cybersecurity.”

Witty pledged to rebuild the struggling healthcare clearinghouse with cloud-based security. Change also went without multi-factor authentication, leaving the organization vulnerable to cyberattacks.

In a strategy paper released in December, HHS also called for new cybersecurity requirements for hospitals. It also outlined voluntary cybersecurity implementation goals specific to the healthcare sector.

“Funding and volunteering goals alone will not drive the cyber-related behavior change needed across the health care sector,” the agency said in a statement at the time.

Meanwhile, the American Hospital Association has rejected proposed strategies that it says would punish hospitals for cyberattacks.

“No organization, including federal agencies, is immune to cyberattacks,” Rick Pollack, president and CEO of the AHA, told Healthcare IT News.

“Imposing fines or cutting Medicare payments would reduce the resources hospitals need to fight cybercrime and would be counterproductive to our common goal of preventing network attacks.”

Case in point: The Centers for Medicare and Medicaid Services recently sent written data breach notifications to 946,801 people after it was ensnared, along with countless companies across sectors worldwide, when a vulnerability was discovered in a third-party application used for file transfers earlier this year.

CMS said in the letter that protected health information or other personally identifiable information may have been compromised as a result of a cyber breach involving MOVEit software.

ON RECORD

Andrea Palm, deputy secretary of HHS, said in a statement: “Cybersecurity remains an ever-evolving challenge in our healthcare ecosystem and more must be done to prevent cyber attacks and ensure patient safety.” “Clear accountability measures and mandatory cybersecurity requirements for all organizations holding sensitive data are essential.”

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
